The hypothesis is that the detected URLs are payload-delivery endpoints of the Mozi botnet, a peer-to-peer IoT malware family that spreads through weak Telnet credentials and known router vulnerabilities and serves its binaries from already-infected peers over HTTP on high, non-standard ports (note the `/i` and `/bin.sh` paths and the ports above 30000 in the list below). A host fetching one of these URLs is either being staged for infection or is already part of the botnet. SOC teams should proactively hunt for these IPs in Azure Sentinel to identify and contain infections early and to catch any follow-on command-and-control or exfiltration traffic.
IOC Summary
Threat: Mozi
Total URLs: 7
Active URLs: 7
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://27.215.110.170:36350/i | online | malware_download | 2026-04-18 |
| hxxp://125.41.169.214:35752/i | online | malware_download | 2026-04-18 |
| hxxp://125.41.6.169:56221/i | online | malware_download | 2026-04-18 |
| hxxp://115.58.157.39:33156/i | online | malware_download | 2026-04-18 |
| hxxp://125.41.6.169:56221/bin.sh | online | malware_download | 2026-04-18 |
| hxxp://125.41.169.214:35752/bin.sh | online | malware_download | 2026-04-18 |
| hxxp://219.155.224.101:41959/i | online | malware_download | 2026-04-18 |
```kusto
// Hunt for DNS answers that resolve to the URLhaus-listed Mozi hosts.
// The IOCs are IP literals, not domains, so a DNS hit is unlikely; the useful
// comparison is against the resolved addresses (IPAddresses), not the queried Name.
// Threat: Mozi
let malicious_ips = dynamic(["115.58.157.39", "27.215.110.170", "125.41.6.169", "125.41.169.214", "219.155.224.101"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for proxy/firewall traffic to the URLhaus-listed Mozi hosts.
// Match on DestinationIP as well as the URL fields: the payload host is an IP
// literal and RequestURL is empty for connections that were not proxied.
// Threat: Mozi
let malicious_ips = dynamic(["115.58.157.39", "27.215.110.170", "125.41.6.169", "125.41.169.214", "219.155.224.101"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```

A DeviceAction of allowed (or equivalent) on a request for `/bin.sh` or `/i` means the payload reached the client; treat that host as infected until the download is proven to have failed. Blocked requests still identify hosts that are being exploited and should be triaged.
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
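The same matching the two Sentinel queries perform, run offline over constructed sample log lines, as an added example that is not part of the original page. It parses the seven IOC URLs into a set of hosts (the hunt key) and a set of exact (ip, port, path) endpoints, then checks proxy lines in CEF key=value form (the shape CommonSecurityLog ingests) on the destination IP and labels whether the full URL matched, and checks DNS lines on the resolved answers rather than the queried name. The log lines, the `analysis`-style field layout and the host names are constructed for the example and are not real telemetry.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The seven URLhaus entries from the page, in their defanged hxxp:// form.
MOZI_IOC_URLS = [
    "hxxp://27.215.110.170:36350/i",
    "hxxp://125.41.169.214:35752/i",
    "hxxp://125.41.6.169:56221/i",
    "hxxp://115.58.157.39:33156/i",
    "hxxp://125.41.6.169:56221/bin.sh",
    "hxxp://125.41.169.214:35752/bin.sh",
    "hxxp://219.155.224.101:41959/i",
]

# Constructed sample telemetry (not real logs): CEF lines in the shape a proxy
# writes into CommonSecurityLog, and DNS lines carrying the resolved answers.
SAMPLE_PROXY_LINES = [
    "CEF:0|Vendor|Proxy|1.0|100|web|3|src=10.20.0.15 dst=125.41.6.169 dpt=56221 "
    "request=http://125.41.6.169:56221/bin.sh act=allowed",
    "CEF:0|Vendor|Proxy|1.0|100|web|3|src=10.20.0.16 dst=125.41.6.169 dpt=8080 "
    "request=http://125.41.6.169:8080/ act=blocked",
    "CEF:0|Vendor|Proxy|1.0|100|web|3|src=10.20.0.17 dst=125.41.6.16 dpt=80 "
    "request=http://125.41.6.16/index.html act=allowed",
]
SAMPLE_DNS_LINES = [
    "2026-04-18T09:12:01Z host01 query=cdn.example.net answers=203.0.113.10",
    "2026-04-18T09:12:05Z host02 query=update.example.org answers=198.51.100.7,219.155.224.101",
]


def refang(url):
    """Turn the defanged hxxp(s):// scheme back into http(s):// so urlsplit parses it."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)


def parse_iocs(urls):
    """Split IOC URLs into the set of hosts (hunt key) and the exact (ip, port, path) endpoints."""
    ips, endpoints = set(), set()
    for url in urls:
        parts = urlsplit(refang(url))
        ip = str(ipaddress.ip_address(parts.hostname))  # raises ValueError on a non-IP host
        ips.add(ip)
        endpoints.add((ip, parts.port, parts.path))
    return ips, endpoints


# Crude CEF extension parser; sufficient here because the sample values contain no spaces.
CEF_EXT_RE = re.compile(r"(\w+)=(\S+)")


def hunt_proxy(lines, ips, endpoints):
    """Flag lines whose destination IP is an IOC host; label exact URL matches separately.

    The comparison is on the parsed dst token, not a substring test, so a benign
    125.41.6.16 is never confused with the 125.41.6.169 IOC (KQL has_any is
    term-based and behaves the same way).
    """
    hits = []
    for line in lines:
        ext = dict(CEF_EXT_RE.findall(line))
        dst = ext.get("dst")
        if dst not in ips:
            continue
        req = urlsplit(ext.get("request", ""))
        exact = (req.hostname, req.port, req.path) in endpoints
        hits.append({
            "src": ext.get("src"), "dst": dst, "dpt": ext.get("dpt"),
            "url": ext.get("request"), "action": ext.get("act"),
            "match": "exact_ioc_url" if exact else "ioc_host_other_port_or_path",
        })
    return hits


DNS_RE = re.compile(r"query=(\S+)\s+answers=(\S+)")


def hunt_dns(lines, ips):
    """Flag DNS answers that resolve to an IOC host (mirrors matching on DnsEvents.IPAddresses)."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        overlap = set(m.group(2).split(",")) & ips
        if overlap:
            hits.append({"name": m.group(1), "resolved_iocs": sorted(overlap), "line": line})
    return hits


if __name__ == "__main__":
    ioc_ips, ioc_endpoints = parse_iocs(MOZI_IOC_URLS)
    for h in hunt_proxy(SAMPLE_PROXY_LINES, ioc_ips, ioc_endpoints):
        print("PROXY", h)
    for h in hunt_dns(SAMPLE_DNS_LINES, ioc_ips):
        print("DNS", h)
```

Two points the sample output makes that the queries alone do not: the allowed download of `/bin.sh` from 125.41.6.169:56221 is an exact IOC match and means the binary reached 10.20.0.15, while the blocked request to the same host on port 8080 is a host-only match, which still matters because Mozi peers serve from whatever port they were assigned and the URLhaus port is only the one observed at listing time.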
Scenario: A patching, EDR signature update or backup job (Microsoft Update, CrowdStrike Falcon, Microsoft Defender, Veeam, Acronis) is blamed for a hit on one of these URLs
Filter/Exclusion: None. These products fetch content from their own named infrastructure over TLS, never from a raw IP:port URL serving `/bin.sh` or `/i`, so a download of a listed URL by a patch or backup server is an infection of that server, not a false positive. Process names are not available in CommonSecurityLog or DnsEvents; if the initiating process matters, pivot on Computer or SourceIP into Defender for Endpoint DeviceNetworkEvents (InitiatingProcessFileName) or Sysmon event ID 3.
Scenario: An analyst, sandbox or URL-scanning service in your own environment deliberately fetches a listed URL to retrieve the Mozi sample
Filter/Exclusion: Exclude only the approved analysis hosts, e.g. SourceIP in ((_GetWatchlist('analysis_hosts') | project SearchKey)) or the equivalent on Computer, and keep the list narrow so an infected workstation on the same subnet is still caught
Scenario: A red team exercise or security training simulation replays a listed URL
Filter/Exclusion: Exclude the exercise source hosts for the agreed time window only (SourceIP in (redteam_hosts) and TimeGenerated between (start .. end)), and only where the exercise was documented in advance; nothing in DnsEvents or CommonSecurityLog carries a custom tag, so a tag-based exclusion cannot be enforced in the query
Scenario: A threat-intelligence platform or security tool (e.g., a Cisco Talos or CrowdStrike feed integration) automatically fetches a listed URL for sample collection
Filter/Exclusion: Use a custom tag like tag = "threat_intel_tool" or check the process name against a list of known security tool executables (e